A conventional authentication system includes an authentication client which runs authenticator software (sometimes called a soft token) and an authentication server, which work together to grant the holder of the authentication client access to an electronic resource using one-time-use passwords (OTPs). Such OTPs are often referred to as OTP codes, one-time passcodes, and pseudo-random numbers, among other terms. To this end, both the soft token and the authentication server share a cryptographic key that is known to no other party. The soft token uses the cryptographic key to produce a series of OTPs. Concurrently, the authentication server carries out the same operations on its end to produce the same series of OTPs. Accordingly, at any time, the holder of the soft token can provide a matching OTP to the authentication server to prove that the holder possesses the soft token.
Prior to activation of the soft token on the authentication client, the soft token is provisioned with an initial seed. Additionally, the soft token takes other inputs prior to activation, such as a time input and an initial key-generation algorithm.
However, once the soft token is activated and begins producing a series of OTPs, it no longer accepts provisioning input. Rather, the soft token becomes tamper-resistant once it begins producing OTPs. In some instances, the soft token may be configured to stop operating if it detects tampering.
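The scheme described above, as an added illustration that is not part of the original text: a shared seed, a time input turned into a counter, and the server recomputing the same OTP series to verify. The OTP derivation follows the HOTP/TOTP algorithms of RFC 4226 and RFC 6238 (one concrete instance of a key-generation algorithm, not necessarily the one the text has in mind); the `SoftToken` class, its method names and the seed value are constructed for the example.

```python
import hashlib
import hmac

# Constructed seed for the example (the RFC 4226 test key "12345678901234567890").
# In practice this is the initial seed provisioned into the soft token and shared
# only with the authentication server.
SHARED_SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the time input becomes the HOTP counter (number of elapsed time steps)."""
    return hotp(key, unix_time // step, digits)


class SoftToken:
    """Constructed model of the token: provisioning is accepted only before activation."""

    def __init__(self) -> None:
        self._seed, self._step, self._activated = None, 30, False

    def provision(self, seed: bytes, step: int = 30) -> None:
        if self._activated:
            raise PermissionError("token already activated; provisioning input rejected")
        self._seed, self._step = seed, step

    def activate(self) -> None:
        if self._seed is None:
            raise ValueError("cannot activate: no seed provisioned")
        self._activated = True

    def current_otp(self, unix_time: int) -> str:
        if not self._activated:
            raise RuntimeError("token not activated")
        return totp(self._seed, unix_time, self._step)


def server_verify(key: bytes, candidate: str, unix_time: int,
                  step: int = 30, window: int = 1) -> bool:
    """Server side: recompute the OTP for the current step and +/- `window`
    neighbouring steps (to tolerate clock drift), comparing in constant time."""
    return any(hmac.compare_digest(totp(key, unix_time + d * step, step), candidate)
               for d in range(-window, window + 1))
```

The drift window is the usual trade-off: each extra step the server accepts widens the set of codes that validate at any moment, so keep it small and pair it with rate limiting on failed attempts.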